[Community-sigs] signature of JS downloader
Jean-Baptiste Lanel
jb at lanel.eu
Wed Dec 7 13:13:25 EST 2016
Hello,
I found only one sample for the second signature. Unfortunately I didn't
keep any example for the 1st one.
For decrypting the file:
openssl aes-256-ecb -a -d -salt -in JS.ActiveX.Downloader.aes -out virus.eml
Password: clam
Regards,
JB
On 07/12/2016 at 18:57, Christopher Marczewski wrote:
> Jean-Baptiste,
>
> Any chance we can get the e-mail samples, or do these messages contain
> sensitive information not suitable for disclosure?
>
> On Thu, Dec 1, 2016 at 10:23 AM, Christopher Marczewski <
> cmarczewski at sourcefire.com> wrote:
>
>> Hello Jean-Baptiste,
>>
>> Thank you for your submissions. We'll be proceeding with signature reviews
>> and will get back to you as soon as possible.
>>
>> On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>>
>>> Hello,
>>>
>>> Another one that caught 10 emails since yesterday:
>>>
>>> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b" |sigtool --decode-sigs
>>> VIRUS NAME: JS.ActiveX.Downloader
>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>> OFFSET: *
>>> DECODED SIGNATURE:
>>> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new activexobject("wscript.shell");{WILDCARD_ANY_STRING}new activexobject("adodb.stream");
>>>
>>> (I'm not really confident about the naming convention)
>>>
>>> Regards,
>>>
>>> JB
>>>
>>>
>>> On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
>>>
>>>> Hello sigmakers,
>>>>
>>>> In case it may help, I just received 3 mails caught by this:
>>>>
>>>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" |sigtool --decode-sigs
>>>> VIRUS NAME: JS.HILLARY.Downloader
>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>> OFFSET: *
>>>> DECODED SIGNATURE:
>>>> ()]("r,u,n,d,l,l,3,2."
>>>>
>>>> Regards,
>>>>
>>>> JB
>>>>
>>>> _______________________________________________
>>>> Community-sigs mailing list
>>>> Community-sigs at lists.clamav.net
>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>>
>>>> http://www.clamav.net/contact.html#ml
>>>>
>>>
>>
>>
>> --
>> Christopher Marczewski
>> Research Engineer
>> Talos Group
>> cmarczewski at sourcefire.com
>> Phone: 443.430.7118
>>
>
>
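The `.ndb` decoding that `sigtool --decode-sigs` performs on the two signatures quoted above, as an added example that is not part of this thread or of ClamAV's own code: a small Python parser that renders the pattern the way sigtool prints it and a naive matcher run over a constructed text sample. It assumes hex bodies containing only literal bytes and `*` wildcards (no `??`, `{n-m}` or alternation), an offset of `*`, and approximates target-7 text normalization as lowercasing plus whitespace collapsing.

```python
"""Decode a ClamAV .ndb body signature and run it over a text sample.

Added example, not code from the thread or from ClamAV. Assumed
simplifications: hex body uses only literal bytes and the `*` wildcard,
and target-7 normalization is approximated as lowercase + collapsed spaces.
"""
import re

TARGET_TYPES = {0: "ANY FILE", 3: "HTML", 4: "MAIL", 7: "NORMALIZED ASCII TEXT"}

# Signatures quoted in the thread (hex bodies re-joined across mail line wraps).
ACTIVEX_SIG = ("JS.ActiveX.Downloader:7:*:"
               "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*"
               "6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*"
               "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b")
HILLARY_SIG = "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222"

def parse_ndb(line):
    """Split 'Name:Target:Offset:HexSig' into fields and decoded segments."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    segments = [bytes.fromhex(h).decode("latin-1") for h in hexsig.split("*")]
    return {"name": name, "target": int(target), "offset": offset,
            "segments": segments}

def decode_sig(line):
    """Render the pattern like sigtool --decode-sigs (* -> wildcard tag)."""
    return "{WILDCARD_ANY_STRING}".join(parse_ndb(line)["segments"])

def normalize_text(data):
    """Approximation of ClamAV's target-7 normalization (assumption)."""
    return re.sub(r"\s+", " ", data.lower())

def matches(line, data):
    """True if the segments occur in order in the (normalized) text."""
    sig = parse_ndb(line)
    pattern = ".*?".join(re.escape(seg) for seg in sig["segments"])
    text = normalize_text(data) if sig["target"] == 7 else data
    return re.search(pattern, text, re.DOTALL) is not None

# Constructed sample text containing the three calls the signature describes.
SAMPLE_JS = ('var st = new ActiveXObject("ADODB.Stream");\n'
             'var sh = new ActiveXObject("WScript.Shell");\n'
             'var st2 = new ActiveXObject("ADODB.Stream");\n')

if __name__ == "__main__":
    for sig in (ACTIVEX_SIG, HILLARY_SIG):
        info = parse_ndb(sig)
        print(info["name"], TARGET_TYPES.get(info["target"]), decode_sig(sig),
              "match" if matches(sig, SAMPLE_JS) else "no match")
```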